CSRF/XSRF prevention in Restlet
I am using Restlet 2.2.0 and CookieAuthentication with an embedded Jetty plugin. In my application, I have 2 sets of pages:

1) Pages that can be viewed by an unauthenticated user
2) Pages that can be viewed only by an authenticated user

In both cases, I want to prevent CSRF/XSRF attacks. It seems that by default Restlet applications are vulnerable to CSRF/XSRF unless we do something to prevent this. I could not figure out what to do in my application to prevent such attacks. I have read about many solutions on the internet, but none of them are discussed in reference to Restlet applications. I would appreciate it if someone could guide me on how to protect a Restlet application from CSRF/XSRF attacks.

Thanks,
Ramesh

--
View this message in context: http://restlet-discuss.1400322.n2.nabble.com/CSRF-XSRF-prevention-in-Restlet-tp7579375.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3128028
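As an added illustration (not code from the thread or from the Restlet project), here is a double-submit-cookie CSRF filter that can be mounted in front of the router so that both the public and the authenticated pages are covered. It assumes the Restlet 2.2 Filter, CookieSetting and Message.getHeaders() API; the cookie name, header name and attribute key are our own choices.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;
import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.data.CookieSetting;
import org.restlet.data.Status;
import org.restlet.routing.Filter;

// Double-submit-cookie CSRF filter (example; assumes the Restlet 2.2 Filter/CookieSetting API).
public class CsrfFilter extends Filter {
    public static final String COOKIE = "XSRF-TOKEN";   // cookie name (our choice)
    public static final String HEADER = "X-XSRF-TOKEN"; // header in which clients echo it
    public static final String ATTR = "csrf.token";     // request attribute for templates
    private static final SecureRandom RNG = new SecureRandom();

    public CsrfFilter(Context context) { super(context); }

    @Override
    protected int beforeHandle(Request request, Response response) {
        String cookieToken = request.getCookies().getFirstValue(COOKIE);
        if (cookieToken == null || cookieToken.length() != 32) {
            // First visit (or a tampered cookie): issue a fresh random token.
            cookieToken = newToken();
            CookieSetting cs = new CookieSetting(0, COOKIE, cookieToken, "/", null);
            cs.setAccessRestricted(true); // HttpOnly: pages embed the token server-side
            cs.setSecure(true);           // send only over HTTPS (drop for plain-HTTP dev)
            response.getCookieSettings().add(cs);
        }
        // Expose the token so server resources can embed it in forms or a meta tag.
        request.getAttributes().put(ATTR, cookieToken);
        if (request.getMethod().isSafe()) {
            return CONTINUE; // GET/HEAD/OPTIONS must not change state, so no check
        }
        // State-changing request: the header must echo the cookie. A cross-site page can
        // make the browser send the cookie but cannot read it or set this custom header.
        String sent = request.getHeaders().getFirstValue(HEADER);
        if (sent == null || !MessageDigest.isEqual(sent.getBytes(), cookieToken.getBytes())) {
            response.setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Missing or invalid CSRF token");
            return STOP;
        }
        return CONTINUE;
    }

    static String newToken() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return String.format("%032x", new BigInteger(1, b)); // 128-bit token as hex
    }
}
```

Server-rendered forms read the token from the "csrf.token" request attribute and send it back in the X-XSRF-TOKEN header (for example via XMLHttpRequest); a plain HTML form would instead need the filter to read the token from a form field, which requires buffering the entity.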
Re: Transparent reverse proxying using org.restlet.routing.Redirector
Arjohn Kampman-2 wrote:
> We've updated from restlet 2.1.4 to 2.2.0 now and to our surprise this fixed the Redirector problems. In fact, Redirector works perfectly out-of-the-box, including the digest authentication. No subclassing required. So probably this was a bug in 2.1.4 that has been fixed somewhere in the 2.2 development.

Thanks for this info, which gives me some confidence that I can get this working too with some help.

In order to set the authentication information for a MODE_SERVER_OUTBOUND redirection, I added a filter (code shown below) in front of the Redirector to set the ChallengeResponse. But I could never get this authentication to work successfully, since the server always fails authentication for the passed username/password. I would appreciate it if you could share the details on how you passed the authentication details to the Redirector.

    import org.restlet.Context;
    import org.restlet.Request;
    import org.restlet.Response;
    import org.restlet.data.ChallengeResponse;
    import org.restlet.data.ChallengeScheme;
    import org.restlet.routing.Filter;

    public class MyRedirectorAuthenticatorFilter extends Filter {
        public MyRedirectorAuthenticatorFilter(Context context) {
            this.setContext(context);
        }

        @Override
        protected int doHandle(Request request, Response response) {
            String username = "username";           // placeholder account name
            String password = "plaintext password"; // placeholder password
            // Attach the proxy credentials before the Redirector forwards the call
            request.setProxyChallengeResponse(new ChallengeResponse(
                    ChallengeScheme.HTTP_DIGEST, username, password));
            return super.doHandle(request, response);
        }
    }

And in my application, I have:

    String target2 = "http://localhost:8080/MyWebApp{rr}";
    Redirector redirector2 = new Redirector(getContext(), target2, Redirector.MODE_SERVER_OUTBOUND);
    MyRedirectorAuthenticatorFilter myfilter = new MyRedirectorAuthenticatorFilter(getContext());
    myfilter.setNext(redirector2);
    router.attach("/myapp", myfilter);

Appreciate your help on this.
Re: How to use CookieAuthenticator?
Thanks Jerome Louvel for your understanding and quick action. I have been trying for the last 3 days to get it to work. I tried many possible ways to get it to work, but still I didn't succeed. I guess it would be a very simple implementation in the loginPost server resource. Can you please give me some clue on how to get it to work? I can contribute a user guide once I can set up cookie authentication.

    @Post
    public Representation post(Representation details) {
        Form form = new Form(details);
        String username = form.getFirstValue("login");
        String password = form.getFirstValue("password");
        String targetURI = getQueryValue("targetURI");
        // ... What to do here ???
        return null; // placeholder until the login step is known
    }

- Ramesh
Re: How to use CookieAuthenticator?
Pieter Martin <pietermartin at lavabit.com> writes:
> Hi,
> Took me a while but I did get it working. Here is what I did. In my restlet application I set up the CookieAuthenticator as follows:
>
>     public class CMRestletApplication extends Application { ...

Hi Pieter Martin,

Thanks for the example. I tried to follow it. I am stuck with the /rest/special/loginPost action. Can you please post the code for the loginPost request? I have a SecretVerifier implementation which is not called for the cookie authenticator.

Thanks,
Ramesh
Nested object de-serialization in JsonRepresentation not working
I have an Order class and an OrderDetail model as described below.

    class Order {
        long id;
        String description;
        Collection<OrderDetail> details;

        public Collection<OrderDetail> getDetails() {
            return details;
        }
        // other methods
    }

    class OrderDetail {
        long id;
        String productId;
        String qty;
        // ... methods here ...
    }

And I have a JSON string of one Order with a nested collection of OrderDetail. I am trying to de-serialize this JSON string into an Order object and expecting that the Order object will then contain the OrderDetail collection as well. But it is not working as expected. Here is the code snippet I have:

    JacksonRepresentation<Order> jsonRepresentation = new JacksonRepresentation<Order>(representation, Order.class);
    System.out.println(jsonRepresentation.getText()); // HERE IS THE CULPRIT
    Order order = jsonRepresentation.getObject();
    Collection<OrderDetail> details = order.getDetails();

1) When I do jsonRepresentation.getObject(), it is throwing an exception (java.io.EOFException):

    java.io.EOFException: No content to map to Object due to end of input

Why is jsonRepresentation.getText() causing the subsequent getObject() to fail?

2) I have an extended Collection class called ForeignCollection, which is simply a subclass of Collection. In order to use ForeignCollection instead of Collection, what do I have to do in Restlet? I am getting the following error when I change Collection to ForeignCollection in the above two classes, Order and OrderDetail:

    (org.codehaus.jackson.map.JsonMappingException) org.codehaus.jackson.map.JsonMappingException: Can not find a deserializer for non-concrete Collection type [collection type; ForeignCollection, contains [simple type, class Order]

I am using Restlet 2.1.2.
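As an added example (not code from the thread), the following reads the entity once and buffers it, so that nothing drains the stream before getObject(), and maps the non-concrete collection type to a concrete class so Jackson can instantiate it. It assumes Restlet 2.1's org.restlet.ext.jackson.JacksonRepresentation exposes getObjectMapper() and that Jackson 1.9's SimpleModule.addAbstractTypeMapping() is available; ForeignCollection and ForeignList are hypothetical stand-ins for the poster's classes, and the sample JSON is constructed.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import org.codehaus.jackson.Version;
import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.map.module.SimpleModule;
import org.restlet.data.MediaType;
import org.restlet.ext.jackson.JacksonRepresentation;
import org.restlet.representation.Representation;
import org.restlet.representation.StringRepresentation;

public class OrderJson {
    // Minimal model mirroring the thread; ForeignCollection/ForeignList are hypothetical stand-ins.
    public interface ForeignCollection<T> extends Collection<T> {}
    public static class ForeignList<T> extends ArrayList<T> implements ForeignCollection<T> {}
    public static class OrderDetail { public long id; public String productId; public String qty; }
    public static class Order {
        public long id;
        public String description;
        public ForeignCollection<OrderDetail> details;
    }

    public static Order read(Representation incoming) throws IOException {
        // 1) Read the entity stream exactly once. getText() (on the inbound entity or on the
        //    JacksonRepresentation wrapping it) drains the stream, so a later getObject()
        //    sees no input and fails with "No content to map to Object due to end of input".
        String json = incoming.getText();
        Representation buffered = new StringRepresentation(json, MediaType.APPLICATION_JSON);
        JacksonRepresentation<Order> rep = new JacksonRepresentation<Order>(buffered, Order.class);
        // 2) Jackson cannot instantiate an interface/abstract collection; map it to a concrete
        //    class (assumes getObjectMapper() on JacksonRepresentation and Jackson 1.9's SimpleModule).
        ObjectMapper mapper = rep.getObjectMapper();
        SimpleModule module = new SimpleModule("foreign", new Version(1, 0, 0, null));
        module.addAbstractTypeMapping(ForeignCollection.class, ForeignList.class);
        mapper.registerModule(module);
        return rep.getObject();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: one order with two nested details.
        String sample = "{\"id\":1,\"description\":\"test\",\"details\":["
                + "{\"id\":10,\"productId\":\"p1\",\"qty\":\"2\"},"
                + "{\"id\":11,\"productId\":\"p2\",\"qty\":\"1\"}]}";
        Order order = read(new StringRepresentation(sample, MediaType.APPLICATION_JSON));
        System.out.println(order.details.size() + " details for order " + order.id);
    }
}
```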